Researchers at CYFIRMA have discovered a new version of Neptune RAT, a highly advanced Remote Access Trojan (RAT) that targets Windows systems. Written in Visual Basic .NET, this scourge has been spreading rapidly across platforms such as GitHub, Telegram, and YouTube, where it is being marketed with phrases like “Most Advanced RAT.”
“This indicates its widespread use by cybercriminals targeting Windows users,” the researchers said, adding that the RAT’s author has made the malware available without the source code, intentionally obfuscating the executable files to make analysis more difficult.
“Although the developer claims it is a free version, they hint at a more advanced version behind a paywall, and despite the developer’s assertion that the software is intended for educational and ethical purposes, its usage and distribution raise serious security concerns.”
Stealing Credentials, Hijacking Wallet
One of its main aims is credential theft, but it can steal passwords from over 270 applications, including web browsers, email clients, and password managers, too. It also has ransomware functionality, encrypting files with a “.ENC” extension and demanding Bitcoin payments for decryption.
It is also able to hijack cryptocurrency wallets by monitoring clipboard activity and replacing copied wallet addresses with the bad actor’s address, and beyond theft, has destructive capabilities, and is able to rewrite the Master Boot Record (MBR), which can render infected systems completely unusable.
Neptune RAT is designed for stealth and persistence. It disables antivirus software and uses advanced anti-analysis techniques like virtual machine detection to slip through cybersecurity nets.
Its modular design uses DLL files for specific tasks, like exfiltrating passwords or deploying ransomware, and to maintain its presence on infected systems, it modifies registry entries and uses task scheduling. Malefactors can also use it to monitor victims’ desktops in real-time.
This malware is delivered through PowerShell commands that download encoded payloads from file-sharing services like catbox.moe, a method that avoids using executable files during delivery, making detection by traditional security solutions rather more difficult.
Its code is heavily obfuscated with Arabic characters and emojis to hinder reverse engineering efforts.
Software Risk Equals Business Risk
Satish Swargam, Principal Security Consultant at Black Duck, says: “Neptune RAT exemplifies the notion that software risk equates to business risk, with widespread consequences as the victim’s screen can be monitored in real-time and clipboard content can be replaced with attacker’s cryptocurrency wallet addresses.”
Swargam says this threat continues to evolve with new exploits since the techniques are available on GitHub initially meant to be for educational purposes by Freemasonry Group. “Continuous monitoring, robust endpoint protection, and proactive threat detection strategies are crucial to mitigating the impact of this trojan.”
Not Enough Due Diligence
Nivedita Murthy, another Principal Security Consultant at Black Duck, says security enthusiasts are always on the lookout for tools or kits that can help them “learn” how to “hack” into other systems. However, she says less experienced resources do not always conduct the due diligence needed to choose the right tools or evaluate the exact functionality.
“While this malware targets individual users if downloaded on an organization’s device that does not have the right controls and protection in place at all endpoints, it can lead to company data and credentials being stolen, which would lead to a bigger problem,” adds Murthy.
According to a report, on average, less than 50% of firms had adequate controls to limit risk from open-source software, Murthy explains. “Since this malware is easily accessible via GitHub, unsuspecting users can download it and play around with it on their company desktop to test its capabilities easily because the controls are not in place. This emphasizes the need to protect all endpoints that developers interact with to ensure organizations are protected from malware.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.